Archive for September, 2007

Ever since Vista came out, users have been trying to find ways to avoid the “Elevation Prompt” when running things which require administrative access. There are lots of obvious solutions, but I’ve found one that’s not so obvious, and I’ve found an easy way to use it with PowerShell. First though, an explanation of what this is, and some of the “obvious” solutions.

UAC overview (feel free to skip this)

User Account Control (UAC) is a mechanism in Vista which finally brings Windows into the world of restricted user accounts that OS X and Unix/Linux have been in for years. Essentially it’s a mechanism which protects certain areas of the operating system from being changed (or even accessed) by users who don’t have administration rights. You can disable UAC completely, but it’s highly unrecommended — it’s basically like making all of your users into “root” level administrators, and it’s obviously overkill if all you want is for your administrator accounts to get prompted less.

There are several things you can do to leave the UAC mechanism in place while reducing the annoyance for users. They are all present as settings in the Local Security Policy snap-in (secpol.msc), which controls the behavior of UAC and its elevation prompt. You can choose to require explicit login for everyone (a good idea for the family computer if you all share a single account), or to simply “Prompt for consent” for certain administrators, or even to elevate without prompting, which is basically like having all your administrators running as root (this is a logical idea only if you don’t normally log in as an administrator: it lets you have no prompting when you’re running as an administrator). Finally, you can tweak the behavior of the elevation prompt by disabling the “secure desktop”; this doesn’t get rid of the prompts, it just makes them a little less disruptive.

So far, this is all very much like a Mac or Linux system: with the exception that unlike OS X and Linux, Vista doesn’t just run the apps and let them fail with cryptic errors if they need administrative rights: it detects the attempt to access things which require administrative privileges and proactively prompts you to elevate them. Of course, there is another difference: most Windows apps aren’t written with this in mind: they insist on installing into the global “Program Files” folder instead of into the per-user apps folder (C:\Users\Name\AppData\Local\Apps\), and on accessing the registry, etc. This will change with time, but there will always be apps which need administrative access to install, and some which are actually for administering your system and will therefore always require administrative rights.

What about SetUID?

The problem is that the one thing Linux and OS X have that seems missing in Vista is the “setuid” feature: this allows you to specify that a specific application always runs with the rights of a specific user. The idea is that you control access to the specific file, but you set it to run as an administrator. This way “any” user who can access the app can run it without needing to have access to an administrator account. It allows you to give users access to some administration tools without giving them access to all of them.

It turns out that Vista has a feature like this hidden in the Task Scheduler. It’s not quite the same as setuid, you can’t use it to allow users to run interactive applications as other users, but it will allow you as a member of the administrator group to create tasks that run with “Highest Privileges” (that is: “Elevated”, or “as administrator”) without needing to deal with the elevation prompt each time. This solution is ideal for those tasks which you use repeatedly and which always require admin rights — but probably shouldn’t be used if non-administrators might use your account, and it can be scripted using PowerShell.
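The caveat above matters because anything registered to run with “Highest Privileges” starts elevated without a prompt, so the program it launches must not be modifiable by a standard user. The following is an added example, not code from the original post: it lists every task that runs elevated and flags program files that Everyone, Authenticated Users or Users can write to. It assumes PowerShell 3.0 or later and the Task Scheduler 2.0 COM interface (Schedule.Service); the function names Get-ElevatedTask and Test-NonAdminWritable are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$NonAdminSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-NonAdminWritable([string]$File) {
    # Returns $null when the program is not a full path to an existing file
    if (-not $File -or -not (Test-Path -LiteralPath $File -PathType Leaf)) { return $null }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $write   = [System.Security.AccessControl.FileSystemRights]::WriteData
    $rules   = (Get-Acl -LiteralPath $File).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        # Only specific rights are checked; ACEs that use generic rights are not decoded
        if ($rule.AccessControlType -eq 'Allow' -and
            $NonAdminSids -contains $rule.IdentityReference.Value -and
            ($rule.FileSystemRights -band $write) -ne 0) { return $true }
    }
    return $false
}

function Get-ElevatedTask {
    $service = New-Object -ComObject Schedule.Service
    $service.Connect()
    # Walk the task folder tree; GetFolders(0) returns direct children only
    $pending = New-Object System.Collections.Queue
    $pending.Enqueue($service.GetFolder('\'))
    while ($pending.Count -gt 0) {
        $folder = $pending.Dequeue()
        foreach ($child in $folder.GetFolders(0)) { $pending.Enqueue($child) }
        foreach ($task in $folder.GetTasks(1)) {             # 1 = include hidden tasks
            $def = $task.Definition
            if ($def.Principal.RunLevel -ne 1) { continue }  # 1 = highest privileges
            foreach ($action in $def.Actions) {
                if ($action.Type -ne 0) { continue }         # 0 = "start a program"
                $exe = [Environment]::ExpandEnvironmentVariables($action.Path).Trim('"')
                [pscustomobject]@{
                    Task             = $task.Path
                    RunAs            = $def.Principal.UserId
                    Program          = $exe
                    Arguments        = $action.Arguments
                    NonAdminWritable = Test-NonAdminWritable $exe
                }
            }
        }
    }
}

Get-ElevatedTask | Sort-Object Task | Format-Table -AutoSize
```

A row with NonAdminWritable set to True is an elevated task whose program a standard user can replace; an empty value means the program path could not be resolved to a file and needs a manual look.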

So, I noticed WordPress 2.3 was out, and upgraded with no issues. Of course, then I switched all my categories into tags, and changed my permalinks to leave out my nickname (something I couldn’t do with the old WordPress I was running) and things started going missing.

Using some .htaccess rules I was able to redirect my category index pages to the new tag pages fairly successfully, so that people’s bookmarks and feed readers (don’t forget people can subscribe to feeds for all of these weird index pages) keep working, in what I hope is a clean way:


# Keep this out of the wordpress section, or it will get overwritten
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# rewrite categories as tags
RewriteRule ^category/(.+)$ tag/$1 [redirect=permanent,last]
# rewrite posts by my nick to my new /%postname%/ permalinks
RewriteRule ^jaykul/(.+)$ $1 [redirect=permanent,last]
# rewrite up to four levels of nested categories as tag intersections
# But don't forget to allow access to the feeds
RewriteRule ^tag/([^/+,]+)/(?!feed|rss|rss2|atom)([^/+,]+)/?$ tag/$1+$2/              [redirect=permanent,last]
RewriteRule ^tag/([^/+,]+)/([^/+]+)/(feed|rss|rss2|atom)/?$ tag/$1+$2/$3              [redirect=permanent,last]
RewriteRule ^tag/([^/+,]+)/([^/+]+)/([^/+]+)/?$ tag/$1+$2+$3/                         [redirect=permanent,last]
RewriteRule ^tag/([^/+,]+)/([^/+]+)/([^/+]+)/(feed|rss|rss2|atom)/?$ tag/$1+$2+$3/$4  [redirect=permanent,last]
RewriteRule ^tag/([^/+,]+)/([^/+]+)/([^/+]+)/([^/]*)/?$ tag/$1+$2+$3+$4/              [redirect=permanent,last]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

 

Some interesting things to note:

  • You have to redirect your categories to the tags page so that user agents (browsers and RSS readers) can update their links (if they bother, sigh).
  • You have to take special care of the fact that people can reach the rss feeds as categoryname/feed/ or categoryname/feed/rss/ or categoryname/rss/ ...
  • You need to be careful with the redirects because you can cause infinite loops.
  • You can link to tags and their feeds as UNIONS or as INTERSECTIONS, but not both.

Did you know that people can navigate to pages for multiple tags? In fact, /tags/powershell+development/ will link to items tagged with both powershell and development, whereas /tags/powershell,scripting/atom is the Atom feed for items tagged with either PowerShell or Scripting (or both). I wrote my rules to target the intersection, since that’s sort-of how categories worked so it most nearly preserves my previously working feeds.

I also picked a random new theme, as you can see — I’ve been working on it for a couple of evenings, and there’s still more work to do. So far I’ve widget-enabled it, and partially tag-enabled it … I’m going through the process of modifying a couple of my plugins into widgets (how did I miss this so completely in the past?), and then I’ll hide that extra sidebar on the post pages, and make it variable width.

I suppose I need to modify the header too, it’s hard to read, and if anyone has any ideas about a better way to present code … I’m open to suggestions. Of course… I also need to make it all validate XHTML 1.1 Strict (‘cause I’m like that).

I have several PowerShell scripts and functions that I’ve written in the last few months which take a file or folder path as an argument, and the problem is that most of them need to validate the path in one way or another, and generally speaking this means that you have to pass in a fully qualified path, because they have no simple way to find the file if you pass in a partial, relative path, or the name of a file that’s on your system path.

Anyway, I finally worked up a function to resolve paths taking the current directory and the environment path variable into account:


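Function Find-Path($Path, [switch]$All=$false, [Microsoft.PowerShell.Commands.TestPathType]$type="Any") {
## You could comment out the function stuff and use it as a script instead, with this line:
# param($Path, [switch]$All=$false, [Microsoft.PowerShell.Commands.TestPathType]$type="Any")
   # If the path resolves as given (absolute, or relative to the current location), use it
   if($(Test-Path $Path -Type $type)) {
      return $path
   } else {
      # Otherwise look for the leaf name in the current location, then in each PATH entry
      [string[]]$paths = @($pwd);
      # Skip empty PATH entries (e.g. from a trailing ";"), which Join-Path rejects
      $paths += $env:path.split(";") | ? { $_ }
      
      $paths = Join-Path $paths $(Split-Path $Path -leaf) | ? { Test-Path $_ -Type $type }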
      if($paths.Length -gt 0) {
         if($All) {
            return $paths;
         } else {
            return $paths[0]
         }
      }
   }
   throw "Couldn't find a matching path of type $type"
}
Set-Alias find Find-Path

 

It’s actually pretty simple … it uses the Test-Path method to see if you passed in a full path, and otherwise searches the current directory and all the directories in the PATH to find a matching item. You can specify if you want the -Type "Leaf" (e.g.: files) or -Type "Container" (e.g.: folders) and you can set the -All switch to return all matches in the path instead of just the first one. As you may have guessed, the path doesn’t necessarily have to be a FileSystem path, it will resolve other PSProvider paths based on the current Location. I have it search the paths in the Environment:\Path because I’m mostly concerned with file and folder paths … but aside from that, there’s no equivalent collection of paths for other providers … maybe someone should add some …

So this goes in the “WORSE THAN FAILURE” bucket …

I got an email from my dad this week wondering if I knew “What in the world is this message that keeps coming up every time we start Mom’s computer? It began appearing right after I inserted the removable hard drive to do the most recent backup.” He attached the following screen shot from Windows XP which pretty much speaks for itself (as much as such a thing can):

Windows - No Disk. Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9 75b6bf9c

To be honest, I’ve never heard of it. No Disk? Exception Processing Message? What on earth … I did a web search or two and came up with several fairly recent threads on every tech support site out there … none of which had anything resembling an authoritative answer.

My best guess from the DaniWeb and TechGuy threads is that there is some media app running on startup, but I’ve already had them disable everything in their MSConfig startup tab without getting rid of this annoying message which takes multiple clicks to actually go away.

I had them bring up Task Manager and determined that the message window seems to be owned by the csrss.exe process … apparently it’s only started happening recently after a reboot when my dad switched out the removable hard disks they have been using for backups for years … seems like maybe it’s a recent Windows update but at this point I have no idea, so I guess I’ll try poking around when I get over to their house next time. Anyone have any ideas?